Hacker Summer Camp 2016 has come and gone. I have the badges to prove it. (I also have an average daily mileage count of 13 and blisters to prove it.) Hacker Summer Camp is as good as it gets, with 20,000-plus of my closest computer security professional friends in the confines of a Las Vegas hotel. By no means is it cheap, but the security education benefits far outweigh the costs.

To be clear, these are not the only conferences around. Other cons may not get the same level of notoriety as Black Hat or DEF CON, but they are still valuable for a variety of reasons.

The Pros of Attending Cons

As a professional in the community, attending a conference is paramount. Employers certainly see the benefit of encouraging employees to attend conferences throughout the year. There is no con, so to speak, in attending a con.


The first and most important benefit of attending conferences is the opportunity to network. You can’t put a price tag on it — it’s all about relationships. While we as a practicing group (DEFENDER/BLUETEAM) don’t talk to each other enough, attackers do. I spoke at a small conference a few weeks ago and found out that loss prevention teams hold meetings to discuss the how, what and where of shoplifters’ activities. They also work with competitors and police to stop retail theft, including point-of-sale (POS) and ATM thefts.

I asked about the network security teams and found that they do not participate. It seems like a half-baked idea to share theft analytics but not IT-related issues regarding attacks and defense strategies. Sharing information and knowledge strengthens the community as a whole.

Security Education

Security education is the second benefit. Most security certifications require some kind of continuing education, and one conference can often cover the security education requirement for the year. Some presenters are actual instructors, while others are engineers or security practitioners. Nearly all have real-world experience in the security field, which is more valuable than dry information from a book.

Again, if we BLUETEAM folks were getting better at our jobs, attack surfaces would be getting smaller and the number of high-profile attacks and vulnerability disclosures would shrink proportionally. Unfortunately, that is not the case.

Community Outreach

Another benefit is community outreach. We are all professionals, though we may not always act like it. This community is built on mentorships, which often form at conferences and networking events. All conferences offer opportunities to be mentored or become a mentor — sometimes both. Smaller cons provide attendees a better chance to interact with speakers, while larger events offer opportunities to meet mentors from within the crowd.

Conferences for All Budgets and Experience Levels

Despite the many benefits of attending security conferences, the costs can seem prohibitive. A ticket to Black Hat, for example, costs a few thousand dollars, while DEF CON is priced somewhere around $250. Combined with the costs of airfare, lodging, food and time missed from work, the bill adds up.

But Black Hat and DEF CON are not the only two games in town. BSides are amazing small-money conferences — some are even free or offer opportunities to volunteer in exchange for a ticket. Many are within a two-hour drive from major cities.

The RSA Conference is vendor-heavy, as is Black Hat. These conferences offer face time with the vendors of your choice. Sometimes you can even score face time with technical experts.

DerbyCon is the largest security conference in the Southern U.S. ToorCon and ShmooCon are also incredible conferences to attend, along with CanSecWest and SecTor. You could attend all the conferences mentioned above, but that would be ill-advised even for seasoned security professionals. Neither your wallet nor your liver could take it.

No matter the conference, and no matter its size, we were all con newbies once. You don’t need to be a cybersecurity expert to attend as long as you’re willing to learn. If you don’t know anybody, you are guaranteed to make new friends before you leave. All you have to do is say hello. DEF CON even has a 101 talk just for first-year attendees.

Giving Back

I volunteer. I give back. I am a red-shirt security goon at DEF CON. For me, it is a chance to work with the mentors who taught me throughout my career and to interact with some of the brightest minds in the profession. It is also a chance for me to mentor those in attendance and fellow goons. Volunteering for a conference is a huge commitment, but it allows me to keep my focus on our industry. It’s part of my professional development.

I also use it as a watermark for conducting job interviews. I want to see how serious you are about the cybersecurity community. It’s not a deal breaker if a candidate does not attend security conferences, but one who is plugged into that community certainly has a leg up. Plus, you can learn a lot about a person by which conferences he or she attends.

That’s a valuable lesson — and one that I learned at a security conference.
